
Access control is not merely a technical enforcement mechanism—it is a business risk control system that determines how trust, authority, and accountability are exercised across an organization. For CISOs and executives, access control failures rarely appear as isolated incidents; they surface as systemic governance breakdowns, audit findings, insider abuse, regulatory penalties, or breach blast-radius amplifiers.
From a CISSP perspective, access control models answer three executive questions:
- Who is allowed to do what?
- Under which conditions?
- With what business risk trade-off?
1. Core Access Control Models (Policy Intent)
Discretionary Access Control (DAC)
DAC is ownership-driven. The resource owner decides access.
- Strength: Flexibility, ease of collaboration
- Risk: Privilege sprawl, weak accountability
- Executive risk: Shadow access and data leakage
DAC is common in file shares and legacy systems and often persists unnoticed, creating long-term exposure.
Mandatory Access Control (MAC)
MAC enforces centralized, label-based access decisions.
- Strength: Strong confidentiality enforcement
- Risk: Operational rigidity
- Executive use case: Defense, intelligence, regulated environments
MAC removes human discretion, making it resilient but costly to operate.
Role-Based Access Control (RBAC)
RBAC assigns permissions based on job roles.
- Strength: Scalability, auditability
- Risk: Role explosion if unmanaged
- Executive value: Compliance alignment
RBAC is foundational but insufficient alone in dynamic, cloud-native enterprises.
Rule-Based Access Control
Access is granted based on system-enforced rules (time, location, network).
- Strength: Predictable enforcement
- Risk: Static logic in dynamic threat environments
- Often paired with MAC
Attribute-Based Access Control (ABAC)
Decisions are based on attributes (user, device, environment, risk).
- Strength: Granular, Zero Trust–aligned
- Risk: Policy complexity
- Executive relevance: Cloud, SaaS, API ecosystems
ABAC enables adaptive trust decisions but demands strong governance.
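The layering argument above (RBAC grants the permission, ABAC decides whether the context justifies honouring it) is easiest to see in a small policy decision point. The following is an added example written for this page, not code from the original article: the users, roles, rule names and the `risk_score` signal are all hypothetical, and the rule set is deliberately minimal.

```python
"""Layered RBAC + ABAC decision point (added illustration, hypothetical data)."""
from dataclasses import dataclass

# RBAC: role -> set of (action, resource_type) permissions. Hypothetical roles.
ROLE_PERMISSIONS = {
    "analyst": {("read", "customer-record")},
    "finance-admin": {("read", "customer-record"), ("export", "customer-record")},
}
USER_ROLES = {"alice": {"analyst"}, "bob": {"finance-admin"}}


@dataclass
class Request:
    user: str
    action: str
    resource_type: str
    device_managed: bool
    network: str                          # "corp" or "public"
    risk_score: int                       # 0 (benign) .. 100 (hostile); hypothetical signal
    resource_sensitivity: str = "internal"  # "internal" or "restricted"


def rbac_allows(req: Request) -> bool:
    """Static check: does any of the user's roles carry the permission?"""
    return any(
        (req.action, req.resource_type) in ROLE_PERMISSIONS.get(role, set())
        for role in USER_ROLES.get(req.user, set())
    )


# ABAC rules: (name, predicate). A request must satisfy every rule.
# Each predicate encodes one attribute-driven constraint on the request context.
ABAC_RULES = [
    ("managed-device-for-restricted",
     lambda r: r.resource_sensitivity != "restricted" or r.device_managed),
    ("no-export-from-public-network",
     lambda r: not (r.action == "export" and r.network == "public")),
    ("risk-score-threshold",
     lambda r: r.risk_score < 70),
]


def abac_decide(req: Request) -> tuple[bool, list[str]]:
    """Return (allowed, names of the rules that failed)."""
    failed = [name for name, pred in ABAC_RULES if not pred(req)]
    return (not failed, failed)


def decide(req: Request) -> tuple[str, list[str]]:
    """Layered decision: RBAC first (coarse, cheap), then ABAC (contextual).
    The reasons list is what should land in the audit log."""
    if not rbac_allows(req):
        return ("deny", ["rbac:no-role-permission"])
    ok, failed = abac_decide(req)
    return ("permit", []) if ok else ("deny", ["abac:" + f for f in failed])


if __name__ == "__main__":
    # Bob's role permits the export; the request context does not.
    r = Request("bob", "export", "customer-record", device_managed=False,
                network="public", risk_score=20, resource_sensitivity="restricted")
    print(rbac_allows(r), decide(r))
```

The point to take from the output is that the RBAC check alone says yes. The ABAC layer denies the same request and returns the names of the rules that failed, which is the difference between an access log that says "denied" and one an auditor can act on.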
2. Formal Security Models
Bell–LaPadula (Confidentiality)
- No Read Up (simple security property: a subject may read only objects at or below its clearance)
- No Write Down (*-property: a subject may write only to objects at or above its clearance)
- Protects data secrecy
Used where data disclosure is the primary concern.
Biba Model (Integrity)
- No Read Down (simple integrity axiom: a subject may not read less trustworthy data)
- No Write Up (*-integrity axiom: a subject may not modify more trustworthy data)
- Protects data correctness
Critical for financial systems, OT, and safety systems.
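Because Biba is the dual of Bell–LaPadula, both reduce to one question about a lattice of labels: does one label dominate the other? The following added example (written for this page, not from the original article) implements that dominance check over levels plus compartments and then expresses both models as a reference monitor. The level names and compartments are hypothetical, and for brevity one lattice serves as both the confidentiality and the integrity lattice; a real system keeps them separate.

```python
"""Bell-LaPadula and Biba as dominance checks on a label lattice (added example)."""
from dataclasses import dataclass

# Ordered levels. Hypothetical names; used here for both confidentiality
# (BLP) and integrity (Biba) to keep the example short.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()   # need-to-know categories


def dominates(a: Label, b: Label) -> bool:
    """True when a >= b in the lattice: a's level is at least b's AND a's
    compartments include all of b's. Labels with disjoint compartments are
    incomparable, so neither dominates the other."""
    return LEVELS[a.level] >= LEVELS[b.level] and a.compartments >= b.compartments


def blp_permits(subject: Label, obj: Label, op: str) -> bool:
    """Bell-LaPadula (confidentiality).
    read : subject must dominate object  (simple security property, no read up)
    write: object must dominate subject  (*-property, no write down)"""
    if op == "read":
        return dominates(subject, obj)
    if op == "write":
        return dominates(obj, subject)
    raise ValueError(f"unknown op {op!r}")


def biba_permits(subject: Label, obj: Label, op: str) -> bool:
    """Biba (integrity), the dual of BLP.
    read : object must dominate subject   (simple integrity, no read down)
    write: subject must dominate object   (*-integrity, no write up)"""
    if op == "read":
        return dominates(obj, subject)
    if op == "write":
        return dominates(subject, obj)
    raise ValueError(f"unknown op {op!r}")


def reference_monitor(subject: Label, obj: Label, op: str, model: str) -> str:
    """Single decision point every access passes through (complete mediation)."""
    check = {"blp": blp_permits, "biba": biba_permits}[model]
    return "permit" if check(subject, obj, op) else "deny"


if __name__ == "__main__":
    analyst = Label("secret", frozenset({"finance"}))
    quarterly = Label("confidential", frozenset({"finance"}))
    public_site = Label("public")
    print(reference_monitor(analyst, quarterly, "read", "blp"))     # permit
    print(reference_monitor(analyst, public_site, "write", "blp"))  # deny: write down
```

Two behaviours are worth noticing when running it. Under BLP a low-clearance subject may write into a high-classification object (write up is allowed, which is why BLP alone says nothing about integrity), and the same labels under Biba forbid exactly that write. Compartments also matter: a "secret/finance" subject cannot read a "secret/hr" object because the two labels are incomparable, not because one is lower.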
Clark–Wilson Model (Commercial Integrity)
- Focuses on well-formed transactions and separation of duties
- Uses:
- Constrained Data Items (CDIs) that may be changed only through certified Transformation Procedures (TPs)
- Integrity Verification Procedures (IVPs) that confirm the CDIs are in a valid state
- Access triples binding each user to the TPs and CDIs they may use
This is the most business-aligned model, mapping directly to SOX, fraud prevention, and enterprise controls.
Brewer–Nash (Chinese Wall)
- Prevents conflict of interest
- Access changes dynamically based on prior access
Used in consulting, legal, financial advisory, where ethical boundaries matter more than classification labels.
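What distinguishes Brewer–Nash from the label-based models is that the wall is built from a user's own access history, so the same request can be permitted for one user and denied for another with identical clearances. The following added example (written for this page, not from the original article) tracks that history per user and enforces both the read rule and the write rule, including the case where a user tries to copy one client's unsanitized data into another client's or a public dataset. The firms, datasets and conflict-of-interest classes are hypothetical.

```python
"""Brewer-Nash (Chinese Wall) with history-based conflict-of-interest checks (added example)."""
from collections import defaultdict

# Objects -> (company dataset, conflict-of-interest class). Hypothetical firms;
# a COI class of None marks sanitized information that carries no conflict.
DATASETS = {
    "bank-a-strategy": ("BankA", "banking"),
    "bank-b-strategy": ("BankB", "banking"),
    "oil-x-audit": ("OilX", "oil"),
    "market-bulletin": ("public", None),
}


class ChineseWall:
    def __init__(self):
        # Per-user history of (company, coi_class) for unsanitized reads.
        # The wall is derived from this history, not from static labels.
        self.history = defaultdict(set)

    def can_read(self, user: str, dataset: str) -> bool:
        """Simple security rule: readable if sanitized, or if the user has not
        already read a *different* company in the same COI class."""
        company, coi = DATASETS[dataset]
        if coi is None:
            return True
        return all(c == company or k != coi for c, k in self.history[user])

    def read(self, user: str, dataset: str) -> None:
        if not self.can_read(user, dataset):
            raise PermissionError(f"{user}: conflict of interest reading {dataset!r}")
        company, coi = DATASETS[dataset]
        if coi is not None:
            self.history[user].add((company, coi))   # the wall moves here

    def can_write(self, user: str, dataset: str) -> bool:
        """*-property: writable only if readable AND every unsanitized dataset
        the user has read belongs to the target company. This stops a user who
        read BankA from copying it into BankB's dataset or a public one."""
        company, _ = DATASETS[dataset]
        return self.can_read(user, dataset) and all(
            c == company for c, _ in self.history[user])


if __name__ == "__main__":
    wall = ChineseWall()
    wall.read("eve", "bank-a-strategy")
    print(wall.can_read("eve", "bank-b-strategy"))   # False: competitor in same class
    print(wall.can_read("eve", "oil-x-audit"))       # True: different class
    print(wall.can_write("eve", "market-bulletin"))  # False: would leak BankA data
```

Note that the first read is always allowed; the model only becomes restrictive after the fact, which is why it needs durable per-user history rather than a one-off check at login.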
3. Additional CISSP-Referenced Models
- Lattice-Based Models – Labels as a partial order (levels plus compartments); the structure underlying Bell–LaPadula and Biba
- Noninterference Models – Higher-level activity must have no observable effect on what lower-level subjects can see
- Information Flow Models – Track how data moves across trust boundaries, including covert channels
- Take-Grant Model – Analyze how rights can propagate between subjects through take, grant, create and remove operations
- Graham–Denning Model – Defines primitive operations for securely creating and deleting subjects and objects and assigning rights
These models help CISOs reason about systemic risk, not implement controls directly.
4. Access Control Maturity Model
Level 1 – Ad Hoc
- Shared accounts
- Manual approvals
- High insider risk
Level 2 – Defined
- RBAC implemented
- Periodic reviews
- Still reactive
Level 3 – Managed
- Least privilege
- Separation of duties
- Central IAM governance
Level 4 – Adaptive
- ABAC, risk-based decisions
- Context-aware access
- Integrated logging
Level 5 – Optimized (Zero Trust)
- Continuous verification
- Automated remediation
- Identity becomes the new perimeter
Executives should assess where they are against the level that the business risk actually demands, and treat the gap as a funded program rather than a finding.
5. CISO Decision Matrix
| Decision driver | Recommended model(s) |
|---|---|
| Default bias (no single driver dominates) | RBAC + Clark–Wilson |
| Regulatory compliance | RBAC + Clark–Wilson |
| Insider threat | Biba + Separation of Duties |
| Cloud & APIs | ABAC |
| National security | MAC + Bell–LaPadula |
| Ethical conflict risk | Brewer–Nash |
| Zero Trust strategy | ABAC + Continuous Authentication |
No single model is sufficient. Layering is mandatory.
6. Strategic Risks CISOs Must Address
- Role creep undermining RBAC
- Overuse of exceptions bypassing policy intent
- Static access in dynamic threat environments
- Lack of linkage between access and business ownership
- Weak auditability and accountability
Most breaches do not exploit exotic flaws—they exploit over-trusted identities.
Executive Takeaway
Access control models are governance instruments, not just technical constructs. Mature organizations evolve from static permission assignment to continuous trust evaluation, where access reflects:
- Business role
- Risk context
- Data sensitivity
- Operational necessity
For CISOs, the real challenge is not choosing a model—but ensuring access decisions consistently reflect business intent, regulatory obligation, and evolving threat reality.



